Private members-only forum

Do I need a BAA before my first healthcare SaaS pilot?

Started by founder_meera_h · Apr 23, 2026 · 198 views · 3 replies
For informational purposes only. This is not legal advice. Laws vary by jurisdiction. Consult a qualified attorney for advice specific to your situation.
founder_meera_h OP

Building a SaaS for small mental health practices (patient intake automation). Signing our first paid pilot next week with a 4-therapist clinic in Austin. They keep asking about a BAA and I'm honestly unsure what I'm signing up for. Our app clearly touches PHI (names, intake answers, scheduling).

Do I need to have a BAA template ready? Do they typically provide one? AWS already has one in place at our infra layer. Is that enough?

SarahK_TX

Healthcare ops here, formerly. The AWS BAA covers their layer (infra), but you, as the application provider, are a "business associate" under HIPAA, and the covered entity (the clinic) needs a BAA WITH YOU directly. The AWS BAA does not flow through.

You'll want your own BAA template ready. The clinic will probably push their template at you, but read it carefully: clinic templates often have indemnification clauses that are punishing for startups.

revcycle_pro_19

+1 to the above. If you let the clinic provide the BAA, you're at their mercy. Write your own with reasonable liability caps (a cap at fees paid in the last 12 months is standard) and require them to sign yours OR negotiate theirs.

SergeiTokmakov Counsel

I'm Sergei Tokmakov, California attorney (Bar #279869). I help healthcare SaaS founders structure exactly this. Quick framework:

You're correct that AWS's BAA covers the infrastructure layer (S3, EC2, RDS) — but you are a separate business associate under 45 CFR 160.103, and the covered entity (the clinic) is required to have a BAA in place with you before disclosing PHI. The AWS BAA flows downstream as part of your subcontractor BAA chain, but does not substitute for your direct BAA with the customer.

Practical pre-launch checklist: (1) BAA template (your own, with reasonable liability caps), (2) Privacy Policy and Notice of Privacy Practices coverage, (3) Risk Analysis under 45 CFR 164.308(a)(1)(ii)(A), (4) breach notification SOP, (5) workforce training records, (6) access logs and audit controls. The Healthcare SaaS legal package I do flat-fee at $2,500 covers the BAA template plus the SaaS subscription agreement, privacy policy, and basic compliance documentation — happy to share more if useful.

You can also model HIPAA breach exposure here: not legal advice, but practical sequencing matters more than perfect documents on day one. Get the BAA right, get the basics in place, iterate.